Incidents like the recent Qantas cyber-attack can be discussed from many angles. One aspect is how such events might impact people’s mental wellbeing and their behaviour online.

The internet has become deeply woven into the fabric of our daily lives. Everyday tasks such as shopping, arranging deliveries, making inquiries, messaging, connecting with others, and accessing information often require us to go online. In many cases, we also need to share personal information and accept that this information will be stored to access products and services.

But what happens when we start feeling unsafe or concerned about these online activities? What if we develop negative attitudes towards the very platforms we rely on?

When people feel vulnerable online—for example, worried about the safety of their shared or stored personal information—it can be expected to have a range of effects. Two consequences could be: ‘the decline in mental wellbeing’ and ‘the development of dysfunctional online behaviours’.

Whether you were personally affected by the Qantas cyber-attack or simply heard about it in the news, such incidents may increase your sense of risk and vulnerability in digital spaces. After all, many services ‘require’ us to share personal details and trust that our information is safe.

Incidents like the Qantas cyber-attack may trigger negative thoughts or ongoing worry—for example, persistent concerns about your accounts being hacked, your financial information being stolen, or even the possibility of blackmail. These concerns can understandably take a toll on your mental health, potentially leading to anxiety and heightened stress.

These worries may also affect how people behave online, especially when it comes to sharing personal information. Some individuals may react by providing incomplete personal information, fabricating their personal information, or avoiding certain online services altogether. While understandable, such behaviours can be dysfunctional in many cases—for example, missing out on essential products or services that are only available online, or contributing to broader issues of mistrust in digital systems.

Overall, incidents like cyber-attacks can be expected to negatively impact users, reduce the quality of their online experiences, and create challenges for the digital systems.

Adopting a mindful-conscious approach to the online world can help. For example, only sharing personal information when it’s absolutely necessary and following basic self-protection strategies—like using different passwords for different accounts and updating passwords regularly—are good habits to develop.

While cyber-attacks such as Qanta cyber-attack are not the fault of the user, these simple steps can reduce the overall risk. For instance, if one account is compromised, your other accounts may still remain secure, limiting the damage.

In the last couple of years, we have seen an increase in the number of notifiable data breaches in Australia, with the second half of 2024 seeing 595 reported breaches - a 15% increase from the first half of 2024. While the majority (63% from H2-2024) of these breaches affect a small number of people (less than 100), every now and again we get these breaches that affect millions of people, such as the Qantas data breach. It is easy to lose ourselves in the details of cyberattack, how the threat actor (probably Scattered Spider) pulled it off, how relevant cyber threat intelligence could have informed appropriate defences for Qantas, et cetera.

However, an important perspective is that when these large-scale cyber incidents occur, they shine a spotlight on and call into question our collective cyber resilience capabilities - the ability of everyone affected (not just Qantas) to have prepared, to limit the negative impact, to recover, and to learn from the data breach.

In this case, it is good to see some these collective cyber resilience mechanisms kicking into action and being exercised - the coordination and oversight mechanisms with the Australian Cyber Security Centre, the compliance mechanisms through the Australian Privacy Principles and with the Australian Information Commissioner, the criminal investigation mechanisms with Australian Federal Police, and incident response support mechanisms with the private sector. It’s only by learning from such incidents that, as whole-of-society, we are better prepared to deal with future incidents and to collectively become more cyber resilient.

The Qantas data breach, affecting up to six million customers, is a stark reminder of the vulnerabilities inherent in third-party platforms. The exposure of personal information such as names, email addresses, and frequent flyer numbers can lead to targeted phishing attacks and identity theft. This incident highlights the critical need for organizations to rigorously assess and continuously monitor the security practices of their vendors.

An organization’s cybersecurity isn’t just about protecting internal systems; it also requires ensuring that partners and service providers adhere to the same high standards. These recurring cyberattacks in Australia demonstrate that many organizations are still neglecting cybersecurity. It must be treated with the utmost importance. Proactive cybersecurity measures must be implemented without delay to safeguard both corporate integrity and customer trust.

Customers must change their email passwords and, if not already done, incorporate multi-factor authentication. Also, be very vigilant for scam calls, texts and phishing emails. Given the stolen information, sophisticated scammers will target these affected customers. Law enforcement agencies investigating this incident should closely monitor the Dark Web to determine whether the stolen data is being used for further exploitation. 

Qantas has confirmed that a criminal actor broke into a third-party contact-centre platform, exposing the personal details of up to six million passengers including their names, email addresses, phone numbers, and dates of birth. While the airline rightly stresses that passwords, PINs, and payment data were not stored on that system, the leaked identifiers are still a powerful weapon for follow-on fraud.

Attackers can craft highly convincing phishing emails or text messages that quote a customer’s flight history or status tier to harvest login credentials or two-factor codes. Customers should prepare for a wave of convincing scams that exploit the leaked details. Rapid, transparent disclosure, as Qantas has begun, is critical to maintaining public trust, but we also need sector-wide threat-intelligence sharing so that other carriers can harden similar systems before they are hit next. Research is also a critical element enabling the practice.

It’s very early but it appears as if the information stolen would be most useful to try to log in to people’s frequent flyer accounts. In many cases these are protected only by a 4 digit PIN, so we should definitely expect accounts to be compromised as a result of this breach.

Qantas provides notification emails when they detect unusual login activity. So people should be on the lookout for those emails in the coming days.

Changing your PIN may be advisable especially if you have used a very common PIN, such as 1234, 1111 etc.

The hacking group suspected of carrying out this attack has a track record of breaching large organisations. This is a timely reminder for other airlines to be monitoring their networks for signs of suspicious activity.

The Qantas breach is a reminder that even iconic institutions are vulnerable when vendor oversight and identity controls are weak. This attack, stemming from a third-party vendor, highlights the urgent need for stronger oversight of external partners. It is critical to implement regular audits, enforceable security obligations, and continuous monitoring for vendors handling sensitive data. Strengthening identity verification using phishing-resistant multi-factor authentication is equally vital, especially to prevent breaches through compromised credentials.

While AI was not a factor in the Qantas breach, we can’t underestimate that future attacks will be far more sophisticated, with deepfake audio and video posing serious challenges. Building cyber resilience today is essential to prepare for the even more complex threat landscape of tomorrow.

Despite investment of additional $230 million in customer experience in serving more than 50 million passengers annually (source: Qantas annual report 2024), Qantas has unfortunately been hit by a cyberattack at one of their contact centres that has compromised records of 6 million customers (approx. 12% of their customer base). This data consists of names, email addresses, phone numbers, birth dates and frequent flyer numbers. The more confidential data such as financial information, passport details, and login credentials have not been stored in this system, however, given the breach of identifiable data, it is just a matter of time until we see targeted secondary attacks, ransomware, phishing and identity theft stemming from this attack.
 
The attack is presumed to be initiated by the Scattered Spider (or UNC3944) group, a financially motivated threat actor based in the USA and UK. Their past attacks have been targeted at large organisations with large help desk functions implemented through third-party providers. These third-party providers are allegedly more vulnerable to social engineering methods of attack. This Qantas attack is similar given it is a third-party customer servicing (technology) platform within one of their many contact centres.
 
The Qantas Group has several cyber/data safeguards in place, including Data Governance Frameworks, Cyber and Information Management Committees, and the Three Lines risk management model. It is quite likely these safeguards ensured the protection of customer financial data within separate and more secure access systems. However, it is now important to examine if the Group’s third-party providers and contractors apply similar safeguards and follow industry regulation and best practices in cybersecurity.
 
Given the attack history of Scattered Spider, specifically targeting enterprise customers of Snowflake's cloud infrastructure, it is critical that all other airlines (and large, distributed organisations in other sectors) with similar operating models - that conduct business operations through third party providers - are on high alert and monitor all channels and infrastructure for potential attacks.
 
The attack was first detected on Monday, but customers and the public were informed on Wednesday, this delay translates to more than 48 hours for subsequent targeted/personalised attacks towards individual customers. The Australian government and relevant authorities must do better in managing the communications, impact and loss following cyberattacks.

Cyber hygiene needs more attention with the increase in attacks on customer data. With the increasing use of Artificial Intelligence (AI), cyberattacks are becoming more frequent, necessitating the need for more robust security and privacy tools to defend against them. With this increased sophistication and complexity, organisations must focus on using new technologies, such as AI, machine learning, and blockchain, to prevent such events.

We cannot avoid human errors that lead to data breaches. Still, we can help reduce these errors by maintaining strict cyber hygiene and implementing effective cyber awareness for teams involved in accessing and collecting data. There needs to be more transparent regulations and guidelines for collecting this data, with only the essential information being collected, based on the context. Although weak passwords can be blamed for most data breaches, it is evident that higher layers of defence are needed to prevent such breaches.

Passwords are only one piece of this big jigsaw puzzle, and there are many other players, such as multi-factor authentication and encryption, that we can use to stop such attacks. It is also crucial to learn from previous attacks and ensure that proper action is taken to prevent such cyberattacks again.

Cyber security threats posed by cyber criminals but also by nation states and their aligned groups are set to increase. Data minimisation is a crucial risk mitigation measure. Sadly, it often receives insufficient attention in the corporate race to increase their value of their data holdings.

The Qantas data breach is a reminder that all information has value.  From the information revealed so far, the data breach is limited to name, email address, phone number, birthday and the frequent flyer number – no credit card numbers, account PINs or passwords have been part of the breach.

The stolen information is insufficient to directly access a Qantas account as this requires a PIN and password, however, if coupled with other data breaches (that may include passwords), there is potential for cyber criminals to combine information which may expose accounts to compromise.  Users who have not activated additional security controls (e.g. Multi Factor Authentication) or who have re-used a password from another system would be advised to change their password and setup MFA.

Qantas have confirmed that the attack targeted a call centre and does not impact the safety of the airline and that no other personal information has been disclosed.  While this is reassuring, it again highlights that all organisations need to review cyber security controls regularly and that customers should be vigilant – checking accounts and transactions regularly.

As a general piece of advice, individuals should never re-use passwords on any system or service – use a password manager to assign unique passwords on every system you use and/or enable MFA (or use Passkeys) wherever possible.

The Qantas data breach at one of its customer service centres is a typical event that shows the wide span of cyber activity of a generally criminal nature. The stolen customer data has a value in its capacity for resale among criminal actors interested in perpetrating computer-enabled fraud and gaining access to the victims’ other online accounts.

Qantas is fortunate that its aviation operations are unaffected, and it will need to reassess the security posture of its customer service component. There is an underlying problem in the complication of these systems and the failure in protecting them. Knowing how to invest in cybersecurity and manage an efficacious cybersecurity team remain challenges with which most commercial entities still struggle.